[kernel] r16579 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Nov 20 23:32:02 UTC 2010 

Author: dannf
Date: Sat Nov 20 23:31:59 2010
New Revision: 16579

Log:
can-bcm: fix minor heap overflow (CVE-2010-3874)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 23:13:40 2010	(r16578)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Nov 20 23:31:59 2010	(r16579)
@@ -24,6 +24,7 @@
      - Limit socket I/O iovec total length to INT_MAX.
      - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
   * net: ax25: fix information leak to userland (CVE-2010-3875)
+  * can-bcm: fix minor heap overflow (CVE-2010-3874)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch	Sat Nov 20 23:31:59 2010	(r16579)
@@ -0,0 +1,31 @@
+commit c90009b2c4900984bcb1220d67c0b03c5fa19322
+Author: Oliver Hartkopp <socketcan at hartkopp.net>
+Date:   Tue Aug 17 08:59:14 2010 +0000
+
+    can-bcm: fix minor heap overflow
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    On 64-bit platforms the ASCII representation of a pointer may be up to 17
+    bytes long. This patch increases the length of the buffer accordingly.
+    
+    http://marc.info/?l=linux-netdev&m=128872251418192&w=2
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: Oliver Hartkopp <socketcan at hartkopp.net>
+    CC: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 4d21e40..061df5e 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -120,7 +120,7 @@ struct bcm_sock {
+ 	struct list_head tx_ops;
+ 	unsigned long dropped_usr_msgs;
+ 	struct proc_dir_entry *bcm_proc_read;
+-	char procname [9]; /* pointer printed in ASCII with \0 */
++	char procname [20]; /* pointer printed in ASCII with \0 */
+ };
+ 
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sat Nov 20 23:13:40 2010	(r16578)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sat Nov 20 23:31:59 2010	(r16579)
@@ -20,3 +20,4 @@
 + bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
 + bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
 + bugfix/all/net-ax25-fix-information-leak-to-userland.patch
++ bugfix/all/can-bcm-fix-minor-heap-overflow.patch

More information about the Kernel-svn-changes mailing list